On Mon, Feb 06, 2006 at 07:36:06PM +0100, Nils Larsch wrote:
> Christian Horn wrote:
> ...
> >>If yes - how is pkcs15-tool -r <ID> supposed to work if the given
> >>ID is non-unique.
> >
> >Looks like one would need another vector/number to describe, i.e.
> >using ID 1.1 or something.
> >
> >
> >I have an idea for a different implementation: leave the current counting
> >of certs as it is. When an application tries to use cert with an ID that
> >has no private key with the same ID decrease the ID until we hit the ID
> >of an existing private key. That way I could still address all certs on
> >the card, which is a problem at the moment with the dirty hack.
> >OpenSwan should a) ask for the cert with ID 2 and get it, and b) ask
> >for privatekey ID 2 and get it.
>
> this would require changes in every application using libopensc
> (including pkcs11), hence not a good idea :)

Please make me understand how they would break :)
As I see it the only change would be in OpenSC. Just before returning a
'could not find private-key with the ID you requested' it would try to
get the private-key ID-1 and return that if possible.
This would help with OpenSwan for my kind of smartcard.

Downsides I see are
- applications expecting to get a 'no private-key of that ID there'
- making this workaround for a probably low number of cases
- the cardtype the workaround is for isn't even fitting into
  PKCS#11-recommendations

Just discovered that signing/encrypting with pkcs15-crypt gives me
'Compute signature failed: Buffer too small' / no message at all, and
no output-file, grmpf.

Greetings,
Christian.
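
The lookup discussed in this thread, as an added example that is not part of the original message and is not OpenSC code: a strict private-key lookup beside the proposed "retry with ID-1" fallback, generalized to multi-byte IDs so the decrement has to borrow. The `obj_id` struct, the `card_keys` table and all function names are hypothetical, and the card contents are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical model of a PKCS#15 object ID (a short byte string). */
struct obj_id { unsigned char value[2]; size_t len; };
/* Constructed card contents: private keys with IDs 00 01 and 01 FF. */
static const struct obj_id card_keys[] = { {{0x00, 0x01}, 2}, {{0x01, 0xFF}, 2} };
#define N_KEYS (sizeof card_keys / sizeof card_keys[0])

/* Strict lookup: exact ID match only, NULL when no such key exists. */
static const struct obj_id *find_exact(const struct obj_id *want)
{
    for (size_t i = 0; i < N_KEYS; i++)
        if (card_keys[i].len == want->len &&
            memcmp(card_keys[i].value, want->value, want->len) == 0)
            return &card_keys[i];
    return NULL;
}

/* Decrement a big-endian ID in place; returns 0 if it was already zero. */
static int id_decrement(struct obj_id *id)
{
    for (size_t i = id->len; i > 0; i--) {
        if (id->value[i - 1] != 0) { id->value[i - 1]--; return 1; }
        id->value[i - 1] = 0xFF;            /* borrow from the next byte */
    }
    return 0;
}

/* Proposed workaround: on a miss, retry with ID-1, ID-2, ... */
static const struct obj_id *find_fallback(const struct obj_id *want)
{
    struct obj_id cur = *want;
    const struct obj_id *k;
    while ((k = find_exact(&cur)) == NULL)
        if (!id_decrement(&cur))
            return NULL;
    return k;
}

/* Returns the ID of the key handed back as an integer, or -1 for "not found". */
int lookup(unsigned id, int allow_fallback)
{
    struct obj_id want = { { (unsigned char)(id >> 8), (unsigned char)id }, 2 };
    const struct obj_id *k = allow_fallback ? find_fallback(&want) : find_exact(&want);
    return k ? (k->value[0] << 8) | k->value[1] : -1;
}

int main(void) { printf("strict: %d, fallback: %d\n", lookup(2, 0), lookup(2, 1)); return 0; }
```

With the fallback enabled, a request for ID 00 02 is answered with key 00 01 instead of "not found", which is the first downside listed in the message: the caller can no longer tell that the key it received is not the one it asked for.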